Parth Desai

© 2015. Parth Desai All rights reserved.

Sneaky security vulnerability to watch out for while developing server-side OAuth 2.0

Timing attack

This attack is quite common and applies to every situation where a user sends some information to the server and the server verifies it, either by comparing it with information it has stored, or with a cryptographic operation whose execution time depends directly on the input data.

This attack depends on the implementation of OAuth 2.0, not on the protocol itself.

A timing attack can be used at many points in the OAuth 2.0 flow. Here I give one of the simplest scenarios as an example.

Example

In the server-side OAuth 2.0 flow, the last call exchanges the authorization code for an access token. On the server side, the code first verifies the authorization code and then compares the received client secret with the stored client secret.

Now suppose an attacker wants to gain access to this server as this client. She knows the client id, but knows neither the authorization code nor the client secret.

In this case, the timing attack would work as follows:

One aspect of this attack that makes it dangerous is that we no longer need to brute-force the whole code and secret. We can simply measure the response time and infer whether the current byte is correct or not, and this is easy to automate.
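To make the leak concrete, here is the early-exit comparison the scenario above relies on, beside the constant-time check a token endpoint should use instead. This is an added example, not code from the original post; the client id, authorization code and client secret are constructed sample values, and the bytes-examined counter stands in for the response time an attacker would actually measure.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample values; a real server loads these from its client registry.
REGISTERED_CLIENT_ID = "client-app-1"
ISSUED_AUTH_CODE = "code-0123456789"
STORED_CLIENT_SECRET = "s3cr3t-client-secret-0123456789abcdef"


def leaky_equals(received: str, expected: str) -> Tuple[bool, int]:
    """Naive comparison that stops at the first mismatching byte.
    Returns (equal, bytes_examined). The counter grows by one for every
    correctly guessed leading byte, which is exactly what the response
    time reveals to an attacker guessing one byte at a time."""
    a, b = received.encode(), expected.encode()
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equals(received: str, expected: str) -> bool:
    """Hash both values to a fixed length, then compare with hmac.compare_digest,
    so neither the length of the input nor the position of the first mismatch
    changes the amount of work done."""
    received_digest = hashlib.sha256(received.encode()).digest()
    expected_digest = hashlib.sha256(expected.encode()).digest()
    return hmac.compare_digest(received_digest, expected_digest)


def exchange_code(client_id: str, auth_code: str, client_secret: str) -> Optional[dict]:
    """Token endpoint logic: verify the authorization code and the client secret.
    Both checks always run and are combined with a non-short-circuiting '&',
    so a rejected code does not by itself produce a measurably faster reply."""
    if client_id != REGISTERED_CLIENT_ID:  # client ids are public, so this may short-circuit
        return None
    code_ok = constant_time_equals(auth_code, ISSUED_AUTH_CODE)
    secret_ok = constant_time_equals(client_secret, STORED_CLIENT_SECRET)
    if code_ok & secret_ok:
        # A real server would also mark the code as consumed here (single use).
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
    return None
```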

Prevention

Further Information